Telephony networks are exceedingly complex systems. While once designed, manufactured, and run by a single company, today's telephone networks are an elaborate combination of many different technologies.
There are three general classes of telephony networks: public switched telephone networks (PSTNs), cellular networks, and voice over internet protocol (VoIP) networks. PSTNs are traditional, circuit-switched telephony systems. These networks are generally characterized by lossless connections and high fidelity audio. Components of the cores of some PSTNs are being replaced by internet protocol (IP) connections, but private links of PSTNs remain tightly controlled to ensure near-zero packet loss. Like PSTN systems, cellular networks have a circuit-switched core, with portions currently being replaced by IP links. While these networks can have considerably different technologies deployed in their wireless interfaces, the cores of cellular networks are extremely similar to PSTN networks. Lastly, VoIP networks run on top of IP links and generally share paths as other Internet-based traffic.
The current telephony infrastructure allows users to communicate using a variety of technologies. Circuit-switched landlines continue to provide telephony to the majority of homes and businesses. Mobile phones now offer service to more than four billion users over cellular networks. VoIP allows users to inexpensively communicate with each other irrespective of the geographical distances, using mobile phones and other computing devices. Each of these telecommunication networks adopts its own set of standards, including underlying transport protocols and codecs used, yet they seamlessly interact through a variety of conversion mechanisms. A call may traverse multiple types of networks, taking advantage of the benefits offered by each before reaching its final destination.
The diversification of telephony infrastructure significantly reduces the integrity associated with call metadata, such as caller identification, because metadata is either not transferred across these networks or is transferred without verification. As a result, metadata can be easily manipulated by hardware or software when passing between networks. For example, between Jan. 21 and 26 of 2010, customers of banks in four states received calls asking them to reveal personal information, including credit card and PIN details. Many of these attacks used VoIP phones to anonymously and inexpensively dial a large number of customers while forging the Caller-IDs of the applicable banks.
Similarly, fraudsters have used phishing emails that ask a bank's customers to dial *67 followed by a phone number that is claimed to belong to the bank but in reality belongs to a fraudster. After a customer follows these instructions, all further phone calls going to the customer phone are forwarded to the fraudster's number. Therefore anytime the bank attempts to call the customer, the call instead reaches the fraudster, which breaks many of the multi-factor authentication mechanisms currently employed by various banks.